One of the internal controls that SOX is interested in auditing is the source code access process. This falls under one or two of the IT internal controls.

SOX Audit
To pass the required tests, the company must provide a source code access process that requires the owner of the code to approve access before granting it.
It also requires that only approved developers have write access to the source code and that those same developers do not have access to the application in production.

In addition, it requires a review, usually semi-annual, of the access to the code and an audit trail of this review.

If you can provide this evidence, you can pass this internal control test.

Evidence

Prove there is a process for granting source control access
Provide regular access review to source code
Show how the process works
Provide user access lists

Sample SVN Access File

[groups]
dev = mit\mjb, mit\bjl, umn\tjd
scm = mit\dearking, umn\stixrud

[/]
@dev = rw

[/admin/svn_access]
@scm = rw

SOX Solution

Create and document a source code access process and follow it.

Periodically, review the users who have access, make the required modifications and show the audit trail.

Create source code owners who are responsible for source code access and review.

Document source code access request and approvals.

Provide documentation for SOX Auditors for tracking and Audit evidence proof.

Best Practices

Use a reliable and dedicated server to house your code
Backup your code daily
Test your backup and restore processes
Choose a source control tool that fits your organization's requirements
Perform all tool specific administrative tasks
Keep your code repositories as clean as possible
Secure access to your code
Source Control Administration

Links

Definition of Information Technology Table of Contents

Definition of Information Technology Definition of Information Technology describes the primary function of Information Technology. Along with the scope of IT Services and Technologies provides to the Information Technology Services Customers.

Cloud Computing Cloud Computing is the use of Internet computer and software technologies to provide a variety of computer services. It is more than virtual servers. It is a way to increase capacity or add capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. The name Cloud comes from the common diagram of the Internet as it is often depicted in computer network diagrams.

Disaster Recovery The purpose of this page is to establish a standard for disaster recovery for systems, applications and their configurations.

ITIL ITIL, Information Technology Infrastructure Library, is a set of best practices that support the delivery of Information Technology Services.

ITIL V3 ITIL v3, Information Technology Infrastructure Library, is a set of best practices that support the delivery of Information Technology Services.

Six Sigma Six Sigma seeks to identify and resolve the causes of defects and errors in engineering and business processes. It uses a set of quality management methods, including statistical methods, and creates a special infrastructure of people within the organization who are experts in these methods. Each Six Sigma project carried out within an organization follows a defined sequence of steps and has quantified financial targets.

SOA Strategies SOA Strategies, the importance of IT articulating the value of its technology strategy to corporate decision makers, the correlation between architecture and successful business-driven initiatives such as cloud computing and software as a service, and how to avoid common architecture mistakes.

SOX SOX, Sarbanes Oxley, reporting and testing requirements are mandating formal approvals and reviews of people who have access to application source code.

SOX Source Code SOX Source Code how to maintain a SOX audit for source code control, you must maintain access control and provide an audit trail of access.

SCMWise Software Configuration Management SCMWise is dedicated to SCM. This site is a central repository for the collection of best practices, processes, methodologies and tools that surround SCM.